Once again: Privacy promises from a company are worth nothing, because companies can’t promise anything


In the last post, I recalled that the only thing that matters for whether data collection is taking place is whether it's technically possible, and that if you carry an electronic sensor, you must assume it to be active. Here's why it doesn't matter one bit if the sensor was made by "good guys" with exemplary and outstanding Terms and Conditions.

If data collection is possible, it is happening, and it will be used against the person it was collected from. That’s a reality which is provable with mathematical precision: the probability of data being collected is nonzero, and the probability of it being used against its owner is also nonzero. Since neither of these probabilities is falling over time, both events will take place, with mathematical certainty. Therefore, the only way to have data not used against you is to make sure it’s not possible to collect it in the first place.

I hear a lot of people pointing to “good guy” companies and how they are standing up for privacy, so you can trust them with certainty. This is good, but it is not enough: not only can a company get new management, it is also completely at the mercy of the government it is operating under.

In effect, a company does not even have agency to promise to protect any collected data. A few case studies:

In the Terms of Service of Dropbox, it was first stated that the files are encrypted, and that Dropbox employees are incapable of accessing your data. At some point, Dropbox mentioned that they’re doing server-side deduplication to save space. This is a compression technique where similar segments of files are only stored once. When this was mentioned, bright minds immediately realized that deduplication cannot take place unless Dropbox can determine that the files are similar, in which case they cannot be encrypted when this process happens. After an uproar, Dropbox changed its terms of service from employees being “incapable” of accessing client data, to employees being “not permitted” to access client data — which is an enormous difference, because it means the data is accessible to somebody walking into Dropbox offices and, say, flashing a badge. “Not permitted” counts for absolutely nothing.
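The deduplication argument above, as an added example (not code from the original article or from Dropbox): a server that sees only ciphertext cannot deduplicate files encrypted under per-user random keys, while content-derived keys ("convergent" encryption) make deduplication work but let anyone who holds a copy of a file confirm that it is stored. The SHA-256 keystream is a toy stand-in for a real cipher, and `BlobStore` and the sample document are constructed for illustration.

```python
import hashlib
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); stand-in for a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt_random_key(plaintext: bytes) -> bytes:
    """Client-side encryption under a fresh random key the server never sees."""
    key, nonce = os.urandom(32), os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)

def encrypt_convergent(plaintext: bytes) -> bytes:
    """Key derived from the content, so equal files give equal ciphertext."""
    key = hashlib.sha256(plaintext).digest()
    return _xor_stream(key, b"\x00" * 16, plaintext)

class BlobStore:
    """Hypothetical server: sees ciphertext only, deduplicates by its hash."""
    def __init__(self):
        self.blobs = {}

    def put(self, ciphertext: bytes) -> None:
        self.blobs.setdefault(hashlib.sha256(ciphertext).hexdigest(), ciphertext)

    def holds(self, ciphertext: bytes) -> bool:
        return hashlib.sha256(ciphertext).hexdigest() in self.blobs

# Constructed sample: two users upload the same document.
DOC = b"constructed sample document, identical for both users\n" * 4

def demo() -> dict:
    random_store, convergent_store = BlobStore(), BlobStore()
    for upload in (DOC, DOC):
        random_store.put(encrypt_random_key(upload))
        convergent_store.put(encrypt_convergent(upload))
    return {
        # Random keys: the server cannot tell the uploads are the same file.
        "random_key_copies": len(random_store.blobs),
        # Content-derived keys: deduplication works on ciphertext alone...
        "convergent_copies": len(convergent_store.blobs),
        # ...and a holder of the file can check whether the server stores it.
        "known_file_confirmed": convergent_store.holds(encrypt_convergent(DOC)),
        "random_key_confirmed": random_store.holds(encrypt_random_key(DOC)),
    }

if __name__ == "__main__":
    print(demo())
```
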

Another case in point is Amazon Alexa, which is listening into your living room (just like a lot of other devices do). Amazon had promised to never share anything it heard in your home, promising you privacy. This promise was only valid up until a District Attorney wanted those recordings as part of an ongoing investigation, at which point Amazon’s promises were completely null and void.

The only way to make sure that your privacy is kept intact is to not have your data collected in the first place. Companies, even when they promise you privacy, have no legal right to promise you anything — for the very next day, the government can walk into the company’s offices and carry that data out with it. Therefore, reading Privacy Policies or Terms of Service in hopes of finding good promises that your data will be kept safe is pointless, because no company can legally make such promises.

The one exception to governments getting away with this kind of behavior would be the story of Lavabit, where the founder chose to close the entire company overnight rather than comply with a nastygram from the NSA demanding the mail correspondence of Edward Snowden. But this is the exception to the rule. There is no scenario where a company keeps its promise and stays open, when a government says it wants the data in the custody of that company.

Syndicated Article
This article was previously published at Private Internet Access.

Rick Falkvinge

Rick is the founder of the first Pirate Party and a low-altitude motorcycle pilot. He works as Head of Privacy at the no-log VPN provider Private Internet Access; with his other 40 hours, he's developing an enterprise grade bitcoin wallet and HR system for activism.

Discussion

  1. Anonymous

    “bright minds immediately realized that deduplication cannot take place unless Dropbox can determine that the files are similar, in which case they cannot be encrypted “
    Factually incorrect. Try googling a bit.

    1. Thijs

      It is possible to have some encryption and deduplication but the encryption has to be weakened. Some cloud services use hash based encryption.

    2. Kv

      Tell me how and I'll tell you how to extract data from it :)

  6. saurav mittal

    useful article is here regarding the privacy

  7. chirag mittal

    nice article published here

  8. WSJ

    I appreciate Rick for such a great article!
